When using Talend Identity Manager to manage SOAP and REST credentials, how can I authenticate from an outside application?
This article is applicable to the subscription versions of Talend ESB.
Out of the box, Talend ESB provides built-in accommodations to manage credentials for SAML token authentication using Talend Identity Management (Apache Syncope) and the Security Token Service (STS). One key concept behind this configuration is that the use of the STS is contained within the ESB Runtime, therefore both the service provider and client have to run inside of the Runtime. This article explains how to provide a service for various applications and use Syncope to manage credentials.
Since the ESB Runtime is required for SAML clients, a different pathway than SAML and STS is needed to support authentication from general applications. The Runtime container primarily relies on the Java Authentication and Authorization Service (JAAS) based authentication for container administration as well as web service users. Out of the box, JAAS in Karaf is configured to use a properties file for login credentials, specifically etc/users.properties. In order to change this behavior, you need to configure a different Login Module that leverages the authentication source of your choice. Talend provides guidance for switching Login Modules for LDAP or another users file. The solution provided here is to configure JAAS to authenticate using Syncope. To leverage this JAAS configuration with web services, the service must be configured for non-SAML authentication, namely, Basic HTTP Auth for REST or Username/Password for SOAP.
Available within the Karaf libraries is a Syncope Login Module for exactly this kind of use case. A template for this configuration is attached. The address property needs to be configured to reference your Syncope server. Credentials to access Syncope can also be added.
<jaas:config name="karaf" rank="1"> <jaas:module className="org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule" flags="required"> address=http://syncope-server:8080/syncope/rest </jaas:module> </jaas:config>
Place the XML file into the deploy folder to install the Login Module, and override the default container Login Module. The next step is to configure the required users in Syncope.
Inside TIDM, define the desired service user credentials. These users will be available for service authentication.
You will also need to define the Runtime container users. Reference the etc/users.properties file for users and roles. These will be needed for future container administration and Talend Administration Center control. For a production deployment, you will want to modify credentials, but for an initial configuration you may want to replicate them directly. Don’t forget to add roles to each user as they appear in users.properties.
Configure your service to require Basic HTTP authentication on tRestRequest or cCXFRS. Deploy the service to the runtime using TAC or the deploy folder.
Configure your service client to use Basic HTTP Authentication and provide credentials. The client can be tRestClient, cCXFRS, or a non-Talend client like Postman, SoapUI or an application. Test the authentication from outside the Talend Runtime container, like from Studio or the testing application.
As of Talend 6.2, there is no packaged feature to support Syncope Auth from applications running outside of the Talend Runtime. But thanks to JAAS, configuring this is only a few steps away.
If you need more details and background on the the Syncope Login Module, you can refer to the following article: